The use of social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB) (collectively, “financial institutions”), may increase the financial institutions’ risk profile. The Guidance does not impose additional obligations but is intended to better inform financial institutions of potential consumer compliance, legal, reputation, and operational risks, as well as the expectations for managing those risks.3

In light of the Guidance, it is increasingly important that financial institutions build the issues discussed in the Guidance into their risk assessment process as well as their enterprise-wide compliance management program when using social media to communicate with customers.

The boards of directors of financial institutions also must ensure that qualified management is in place to monitor changes in the social media delivery channels as well as the content on the financial institution’s social media page or site.

Compliance Risk Management Expectations for Social Media

The Guidance advises financial institutions to maintain risk management programs to identify, measure, monitor, and control risks related to social media. Such a program should include:

1. A governance structure with clear roles and responsibilities for the board of directors or senior management to direct how social media will contribute to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establish controls and ongoing assessment of risk in social media activities;
2. Policies and procedures on the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance, which should incorporate methodologies to address risks from online postings, edits, replies, and retention;
3. A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
4. An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
5. An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
6. Audit and compliance functions to ensure compliance with internal policies and all applicable laws, regulations, and guidance; and
7. Parameters for reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the social media programs’ effectiveness, including whether they are achieving their stated objectives.

Each financial institution must ensure compliance on social media with all federal, state, and local laws, regulations, and guidance. The Guidance provides the following nonexclusive list of laws and regulations that may be relevant.

The use of social media is almost certain to raise complications regarding the involvement of employees and third parties. Together with the potential for consumer complaints and inquiries, privacy concerns, brand misuse, or even fraud, the reputation risks for financial institutions are a serious concern.

To address fraudulent use of the financial institution’s brand, such as through phishing or spoofing, the Guidance recommends using social media monitoring tools and implementing policies that allow for timely monitoring and response.

Importantly, the Guidance places the responsibility of “regularly” monitoring the information placed on social media sites upon the financial institutions, even when such functions are contracted out to third parties.4

The Guidance also, unsurprisingly, advises financial institutions to maintain procedures that address the risk of confidential or sensitive information (e.g., account numbers) being posted on the financial institution’s social media page or site.

Financial institutions, moreover, should have policies that address employee participation in social media.

The Guidance advises financial institutions to have monitoring procedures in place, such as using monitoring software, to ensure that inquiries, complaints, or comments are timely and appropriately addressed. Most other industries that have developed social media guidelines have not highlighted the importance of this practice. Yet, with respect to financial institutions, in addition to the reputation risks, serious compliance issues are implicated when a customer uses social media to initiate a dispute, whether “an error dispute under Regulation E, a billing error under Regulation Z, or a direct dispute about information furnished to a consumer reporting agency under FCRA and its implementing regulations.”

C. Operational Risks

The Guidance defines “operational risk” as “the risk of loss resulting from inadequate or failed processes, people, or systems,” including the risks posed by the use of information technology (IT).5 In particular, the Guidance advises financial institutions to ensure that their controls and procedures to thwart and respond to IT security risks – e.g., malicious software, a data breach, or an account hack – address social media.

____________________

1 The six members of the FFIEC are: the Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the “Agencies”); and the State Liaison Committee (SLC).

2 Social Media: Consumer Compliance Risk Management Guidance, Federal Financial Institutions Examination Council, 78 Fed. Reg. 4848 (Jan. 23, 2013), https://federalregister.gov/a/2013-01255.

3 Comments must be received by March 25, 2013, and after consideration, the Agencies will issue the supervisory guidance.

4 Guidance from the Agencies addressing third-party relationships is generally available on their respective Web sites.

5 The identification, monitoring, and management of IT-related risks are addressed in the FFIEC Information Technology Examination Handbook, as well as other supervisory guidance issued by the FFIEC or individual agencies.
